Reflections on Cybersecurity: Lessons from 30 Years in the Industry
I’m sitting at my (messy) desk right now, holding my third cup of coffee, high as a kite from just returning from DefCon’s hardware hacking village. It’s hilarious ― the more things change, the more they remind me of how things were when we started. I started working in the industry a long time ago in 1993 as a network admin dealing with PSTN multiplexers (the big fat gray boxes that carried voice and data). It was all analog back then, but the security issues were no less nerve-racking. Fast forward nearly 30 years, and today I run my own cybersecurity company, and I spend my time helping banks and businesses design zero-trust architectures that can actually withstand today’s threats.
But here’s the thing. Regardless of the shiny new technology and buzzwords, some things never change. Think of the Slammer worm in 2003: it showed how a single bug in SQL Server could spread around the world to massive scale in a matter of minutes. I remember thinking that I really wanted to be doing proactive defense, not reactive firefighting. That has shaped a lot of what I believe today.
What I Learned: Applied Knowledge, Not Just Book Knowledge
Network security is not only fancy gear or software. It’s about knowing how your architecture is going to behave when it’s under strain.
- The best security systems will fail when the human element is not considered.
- Zero-trust is more than just another buzzword — it’s what finally led three banks I worked with to start seriously reducing their attack surface.
Allow me to unpack some of these points.
The Long Hard Road to Modern Firewalls
When I was knee-deep in multiplexed voice and data circuits, security meant limiting who could get in and perhaps some rudimentary authentication. Oh, and praying that your phone lines had not been tapped. The concept of a firewall was just beginning to make it to the mainstream. Today, firewalls do a lot more—they’re gatekeepers, traffic cops, and occasionally the front line of incident detection.
But here’s the kicker:
There is no such thing as a silver-bullet firewall.
I have seen companies drop tons of cash on next-gen firewalls and still get breached because they ignored basic network hygiene — segmentation, patching, monitoring. The best firewall in the world won’t protect your data if your users don’t recognize a phishing attack, or your credentials are weak. And speaking of which — password policies drive me up the wall. Because,
complexity rules that force 12-character passwords to be changed every month? Useless.
People write them down or, worse yet, just tack on a number at the end. Better to train people to use long passphrases.
Like a perfectly prepared biryani, security requires the exact mixture of ingredients in correct proportions with proper timing, but overusing spices (password complexity) makes it unpalatable.
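As an added illustration (not code from the post), here is a password-change check that catches the "tack a number on the end" habit that monthly rotation encourages, alongside an entropy comparison of a template-style "complex" password against a diceware-style passphrase. The word-list size and the template choice counts are assumptions, not figures from the post.

```python
import math
import re

# Assumption: a diceware-style list of 6^5 = 7776 words.
WORDLIST_SIZE = 7776


def _stem(pw: str) -> str:
    """Lower-case the password and drop any trailing run of digits/symbols,
    so 'Winter2023!' and 'winter2024!' both reduce to 'winter'."""
    return re.sub(r"[^a-z]+$", "", pw.lower())


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when the new password is just the old one with its trailing
    counter or symbol changed (Winter2023! -> Winter2024!, Coffee7 -> coffee8).
    Passwords made only of digits/symbols are not compared by stem, since
    their stems are empty and would falsely match."""
    if old.lower() == new.lower():
        return True
    old_stem, new_stem = _stem(old), _stem(new)
    return old_stem != "" and old_stem == new_stem


def entropy_bits(*choice_counts: int) -> float:
    """Entropy of a password built from independent positions, each drawn
    uniformly from the given number of choices."""
    return sum(math.log2(c) for c in choice_counts)


def template_entropy_bits(common_words=10_000, plausible_years=30, common_symbols=10) -> float:
    """Effective entropy of the predictable template <Word><Year><Symbol>
    that users reach for to satisfy complexity rules (assumed pool sizes)."""
    return entropy_bits(common_words, plausible_years, common_symbols)


def passphrase_entropy_bits(num_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of a passphrase of num_words words chosen at random."""
    return entropy_bits(*([wordlist_size] * num_words))


if __name__ == "__main__":
    # Constructed sample change: policy-compliant, yet trivially predictable.
    print(is_trivial_rotation("Winter2023!", "Winter2024!"))   # True
    print(round(template_entropy_bits(), 1))                    # ~21.5 bits
    print(round(passphrase_entropy_bits(5), 1))                 # ~64.6 bits
```

Even a three-word passphrase from the assumed list beats the twelve-character template, and the rotation check rejects the change that a monthly policy would otherwise accept.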
Zero Trust Architecture – Not A Buzzword, But It Helps With The Others
Recently, I assisted three banks in completely transforming their security models to zero trust. And I’ve got to tell you: the journey was as tough as I thought it would be.
Zero trust means:
- Never trust, always verify.
- Least-privilege access (almost) everywhere.
- Ongoing, up-to-date device and endpoint validation.
That means replacing the old castle-and-moat mentality that treated everything inside the network as trustworthy by default. Instead, we inspect every user, device and request.
These were banks with legacy systems and dense workflows, which made implementation difficult.
But here’s what worked:
- Segment the hell out of your networks. No one should gain access to more than what they absolutely need.
- Multi-factor authentication — no longer an option.
- Micro-segmentation on sensitive data flows.
Pro tip: Don’t just pick up some AI-powered whiz-bang solution and think you’ve glimpsed the future. There is so much smoke around AI in cybersecurity. It’s useful for analysis, sorting and so forth, but it can’t fix bad architecture and sloppy operations.
Reflections on HHV (not the kiddy D-con) – Why I came away from DCXXV both Happy and a little Sad
You’d suppose that after almost 30 years in security I’d be numb to hardware hacks. Nope. Observing the inventiveness at DefCon’s hardware hacking village reminded me how neglected physical security and the vulnerabilities in embedded devices remain.
And that worries me. For all the cloud hoopla, your on-premises gear — routers, switches, firewalls — is still a huge point of vulnerability. I mean, if somebody can take a crowbar to your firewall or router’s chassis, reset it or upload some new malicious firmware, what’s your endgame?
Here’s a real takeaway:
- Regularly review the physical hardware, not just the software.
- Use tamper-evident seals and keep records of who touched what, and when.
- Have incident response plans for hardware compromise.
’Cause, believe me, the attackers you’re up against these days have some Star Wars stuff.
Quick Take: What You Can Do Today
- Patch early, patch often
- Quit depending on the strength of your passwords. Educate your teams on how to use passphrases
- Use network segments just like a chef uses ingredients for the perfect flavour – it’s all about keeping things balanced.
- Just because the marketing says it’s AI-powered doesn’t mean it works
- Spend money on physical security audits of important hardware
- Monitor, monitor, monitor. Logs and alerts are your early warning system
In conclusion – The Importance of Experience in Cybersecurity
I get asked a lot why I share my stories—dating back to the days of PSTN multiplexers to today’s zero-trust rollouts. But here’s what I continue to see:
Companies regard cybersecurity as an expense or something to check off. But it’s a changing battlefield. The threats evolve, but the principles — situational awareness, control, response — are as old as combat. The Slammer worm was a wake-up call to all. These days, it’s ransomware gangs and hardware hackers who are the canaries in the digital coal mine.
And I’m here to tell you, no matter how many waves of new tech and fancy terms come along, what you’ve got in the bank still means something. What you need is somebody who’s been in the trenches and can piece together the puzzle, all the way from hardware, through network policies and on to user behavior.
Security isn’t glamorous. Yes, sometimes it’s boring and frustrating and horribly complex. Yet getting it right can be the difference between a business that thrives and one that spends millions picking up the pieces after breaches uncover gaping holes that should have been patched.
So if you are a business owner or IT leader, don’t just chase the next shiny object. Start with the basics — and ensure that your chosen cybersecurity partner (hint, hint) has the scars (and stories) to prove they were there.
OK, coffee No. 4. But first, one last thing:
You are only as safe as your most vulnerable link. Don’t let that link be ignorance or arrogance.